HackDig : Dig high-quality web security articles for hacker

Police forces across the UK are using secret data extraction technology to analyze smartphones, but poor training and security practices and an absence of audit trails could be putting user privacy and data security at risk, it has emerged.

It discovered at least 28 forces have contracts with controversial Israeli ‘mobile forensics’ firm Cellebrite for technology to extract data from devices to help with investigations.

These increasingly affordable tools are being used with ever-greater frequency due to a backlog of devices to be searched. In fact, many forces have apparently set-up “kiosks” in police stations where officers can plug in handsets and download data in question.

Documents seen by the paper reveal such tech has been rolled out on a mass scale with hundreds of frontline officers trained up – the intention being to speed investigations, but only for low-level crimes such as traffic offenses and intent to supply.

However, a 2015 North Yorkshire police report seen by the paper revealed major concerns, including a worrying lack of oversight of local police examiners.

A staggering half of all mobile phone searches appraised by the report lacked an authorization warrant, and in 26% of cases the data downloads were undertaken in relation to serious crimes like murder and sexual assault – potentially undermining these investigations.

What’s more, in some cases evidence was left unencrypted, putting it at risk of loss, theft and/or misappropriation.

It’s unclear just how much data is hoovered up by the Cellebrite tech in these investigations, but it has the capacity to crack passcodes and then download text messages, emails, contacts, photos, videos and GPS data in minutes.

It was suspected last year that the FBI hired Cellebrite when it was looking to crack the iPhone belonging to the deceased San Bernardino gunman.

Data is downloaded and stored for an indefinite period, regardless of whether charges are brought – further fueling privacy concerns.

A Metropolitan Police 2015 procurement document refers to the “ingestion of data from tens of thousands of digital devices annually at dozens of different locations” and “maintenance [of the data] for an indefinite period extending for many years.”

Police have been characteristically tight-lipped on their use of such technology, as they have been in the past with the use of Stingrays in investigations.

“The police have lost files, undermined serious investigations and failed to safeguard people's personal data. We need transparency about current practices, procedures and failings. Across the country the police have expanded their use of mobile phone extraction on the quiet, and it is unclear what effective oversight exists,” argued Privacy International legal officer, Millie Graham Wood.

“The bigger issue is whether traditional search practices, where no warrant is required, should be applied to mobile phones, which can contain a massive amount of highly personal data. Modern mobile phones are not just phones, but mini computers, cameras, video players, calendars, recorders, libraries, diaries, albums, maps all in one. Thus, searching a mobile phone cannot accurately be compared to a search of the home, let alone a physical search. It is far more exhaustive.”

This could hypothetically put the data collected by UK police via Cellebrite products at risk.

“While the 900 GB of data hasn’t been released publicly, it’s safe to assume that the information is highly sensitive. Besides customer information, the hackers managed to retrieve technical data, which could have serious repercussions if it were to fall into the wrong hands,” argued ThinAir CEO, Tony Gauda.

“Incidents such as this are the cyber equivalent of robbing a gun store, and I wouldn’t be surprised if the proprietary info stolen eventually made its way online. Demand for advanced hacking tools and techniques has never been higher and until these firms start securing their digital arsenals with technology capable of rendering data useless when it’s compromised, they will continue to find themselves in the crosshairs of hackers.”